Last week, a Florida detective made a startling public announcement: a judge had ruled he could permit him to have access to the privacy settings of the 1.2 million users of GEDmatch, a personal genomics database and genealogy website that was used by police to identify a suspect in the Golden State Killer case in California in 2018.
Detective Michael Fields of the Orlando Police Department, determined to solve a decades-old case of a serial rapist, appealed to Judge Patricia Strowbridge of the Ninth Judicial Circuit Court of Florida to approve a warrant permitting him to override the privacy settings of GEDmatch’s users, according to The New York Times. Once Patricia Strowbridge consented, GEDmatch let Fields have access less than 24 hours later, according to Fields.
20 million people have uploaded their genetic profiles to consumer DNA sites, but the two major sites, Ancestry.com, which has 15 million users, and 23andMe, which boasts 10 million, have stated they will respect their customers’ privacy. The Times added, “GEDmatch, severely restricted police access to its records this year.”
After the judge’s decision had been rendered, NYU law professor Erin Murphy warned, “That’s a huge game-changer. The company made a decision to keep law enforcement out, and that’s been overridden by a court. It’s a signal that no genetic information can be safe.” She added, “I have no question in my mind that if the public isn’t outraged by this, they will go to the mother lode: the 15-million-person Ancestry database. Why play in the peanuts when you can go to the big show?”
Yaniv Erlich, the chief science officer at MyHeritage, a genealogy database, echoed, “They won’t stop here.”
The Times noted that if the genealogy sites grant access to their records, people who have never taken a DNA test could be affected because a DNA profile could be derived from distant family relationships.
After the Golden State Killer case, in which the killer himself was not in the database but a distant relative whose DNA partially matched evidence related to the killer, the detectives narrowed the pool of suspects to a single family, as The Washington Post reported.
One genealogist protested the use of the genealogy site, writing:
Bottom line: nobody but nobody can give informed consent for someone else. Nobody but nobody has the right to make decisions for DNA testers other than the DNA testers. Informed consent is the essential underpinning of ethical DNA testing and results-sharing. As set out in the new DNA standards and ethical rules adopted by the Board for Certification of Genealogists, ethical genealogists do not make decisions for others, but instead make full disclosure of the risks and benefits and then “request and comply with the signed consent, freely given by the person providing the DNA sample or that person’s guardian or legal representative” And it is now a written standard that “Genealogists share living test-takers’ data only with written consent to share that data.”
In May, 2019, GEDmatch shifted their policy so that law enforcement agents could only have access to the profiles of users who had opted in to such requests. The Times noted parenthetically, “As of last week, according to the GEDmatch co-founder Curtis Rogers, just 185,000 of the site’s 1.3 million users had opted in.”
The Times concluded, “Because of the nature of DNA, every criminal is likely to have multiple relatives in every major genealogy database. Without an outcry, Professor Murphy and others said, warrants like the one obtained by Detective Fields could become the new norm, turning all genetic databases into law enforcement databases.”
A spokesman for 23andMe, Christine Pai, emailed the Times, “We never share customer data with law enforcement unless we receive a legally valid request such as a search warrant or written court order. Upon receipt of an inquiry from law enforcement, we use all practical legal measures to challenge such requests in order to protect our customers’ privacy.”